What Then?

[originally published in Enterprise Conversation, a UBM/DeusM publication]

This is one of the growing number of categories for stories
I’ve recently been told, by people who get paid a nice sum, you care not one
whit about. James
Thurber collected “sweeping generalizations” (e.g., “There are no pianos in
Japan”) and, in his honor, I’m collecting unsympathetic topics. I may be too sympathetic with readers to be a
good judge of what constitutes an unsympathetic topic, but I’ve gained a lot of
feedback from editors and other non-readers (you know who you are… at least, so
I’m told) and am taking copious notes.

Early this year, I had a blast covering the RSA
2012 security conference in San Francisco, partly because it brought together
the brightest experts in the field of information security — a topic about
which I care deeply, though I’ve been told that’s symptomatic of my disease —
for legitimate discussion and deep thinking about topics
like cloud security that I’m told you care nothing about.

I Can’t Get No…

Having covered the Windows XP + Outlook e-mail security debacle in the previous decade, I came away from the RSA conference (and perhaps from 2012 as a whole) convinced that this time we are asking smarter questions about cloud security. Oh sure, we saw the public relations disaster that was RSA's response to its own security breach (potentially far more damaging to your personal security than anything involving Microsoft): with the aid of a gospel choir, RSA literally sang its official response to the massive March 2011 SecurID security token breach, to Rolling Stones music: "You can't always get what you want."

That’s what happens whenever you let public relations handle
incident response. Not smart.

But let's be honest: security is not (thankfully) a service of anyone's public relations department. For once, the businesspeople who have their minds fine-tuned to this problem are asking the right questions. The most important of these, in my opinion, is this: if in every massive breach incident the fault can be traced to design, then why can't cloud architectures enable designs for a virtual envelope that has no physical counterpart, one that cannot be breached in any physical sense because it is located nowhere in particular?

One such example was floated last year by VMware, and is still under consideration: a system that issues enterprise employees virtual, smartphone-capable, business-oriented communications environments that do not exist at any centralized location anywhere in the world. Cloud architecture is enabling engineers to realize that virtual machines do not have to be constructed in parallel with real ones. What makes them virtual is the client, the perception of continuity on the part of the user, like a kinetic sculpture viewed from a particular angle.

It may be far more difficult to breach the security of an
entity whose borders transcend any known concept of physical boundary.

BYOD Party

When the enterprise thinks of cloud insecurity, the picture that immediately pops into mind is not RSA but Dropbox. The rapid rise of Dropbox and the other services in its category is driven by businesses' need to share information among their employees more directly and conveniently. It speaks volumes about the slow-moving nature of evolution in IT that even chief executives breach their own policies and invest so much of their trust in an unhardened architecture designed not for business but for consumers. This whole "consumerization of IT" is looking more like a revolution every day, because we're starting to see the bloodbath.

Yet even the Dropbox incidents are not indicative of an endemic fault with the cloud, or with cloud architectures specifically. In fact, the fault line lay not in the cloud but at ground level: password protection, a single reusable secret that its owner can lose, share or reuse elsewhere, is ridiculous. If there is a foolproof system of authentication and session protection in our future, passwords will have nothing to do with it.

And that's the problem... if you think about it, which is the very thing certain parties would prefer you not do. An entire industry is built around the continued existence of certain elements of our information infrastructure whose existence is threatened by the cloud: endpoints. Passwords are the crux of endpoint security, and in a world with no endpoints, security providers would be forced to seek new jobs.

The key to prolonging the status quo is postponing debate on the future. For that to happen, you need to disavow all interest in the problem at hand. You have to be, as I'm told you already are, uninterested. And I believe that about as much as I believe another entry in Thurber's collection: "Women don't sleep very well."

Scott Fulton On Point

First there was the wheel, and you have to admit, the wheel was cool. After that, you had the boat and the hamburger, and technology was chugging right along with that whole evolution thing. Then there was the Web, and you had to wonder, after the wheel and the hamburger, how did things make such a sudden left turn and get so messed up so quickly? Displaying all the symptoms of having spent 35 years in the technology news business, Scott Fulton (often known as Scott M. Fulton, III, formerly known as D. F. Scott, sometimes known as that loud guy in the corner making the hand gestures) has taken it upon himself to move evolution back to a more sensible track. Stay in touch and see how far he gets.

Scott M. Fulton, III, is the author of this blog, and all text contained therein is his own unless otherwise noted explicitly. Some content may have appeared in other publications first, before being reprinted here, and is reprinted according to publishing agreements. Scott Fulton is always responsible for his own content.